A new report from Cisco suggests that GDPR compliance reduces data breach impact. Incident response, legal and security experts agree but caution not to rely on compliance alone.

Compliance can be costly and often feels more like red tape and a barrier to business than anything that provides a benefit. A report by EY and the International Association of Privacy Professionals (IAPP) estimates that organizations have spent an average of $3 million to achieve compliance with the European Union’s General Data Protection Regulation (GDPR), a sweeping piece of legislation that affects any company that stores or processes data on European Union (EU) citizens.

Aside from reducing the chance of large fines from the likes of the Information Commissioner’s Office (ICO) or the Commission nationale de l'informatique et des libertés (CNIL), what are the quantifiable business outcomes that GDPR provides?

Achieving GDPR compliance may have some quantifiable benefits in reducing the potential risk and impact of data breaches. Proper data mapping, greater organization of data, encryption, and a general reduction in data that’s being collected can all help a company reduce some of its risk.

According to Cisco’s 2019 Data Privacy Benchmark Study, organizations with mature privacy functions were more likely to know where their personally identifiable information (PII) is located (and how it is used) and to have a catalogue of their data assets. “Achieving operational efficiency from having data organized and catalogued” and “mitigating losses from data breaches” were listed as two of the top six benefits of GDPR-related privacy investments given by the report’s respondents.

Fifty-nine percent of the 3,200 security professionals surveyed from 18 countries across all major industries and geographic regions defined themselves as GDPR-ready (meeting most or all GDPR requirements). Those GDPR-ready companies are reportedly less likely to have experienced a breach in the last year, and those that did suffer breaches lost fewer records and therefore saw smaller incident costs.

How does GDPR reduce data breach risk?

“Organizations which have done the work to inventory their data have much better visibility to their data, how it is used, and the associated risks,” says Robert Waitman, director of strategy and planning, Security and Trust Office at Cisco and lead author of the study. “They have identified the lawful purpose for processing, and they have also had to remove or delete any data that doesn’t meet this standard. They likely have less data available overall, and the data they do have is more appropriately protected.”

Attackers that do gain access might find less exploitable data, or none at all, at GDPR-compliant companies. “It is not surprising that the likelihood of breach is lower, the number of records impacted is lower, and the overall cost of the breach is lower,” says Waitman.

According to the report, 74 percent of companies listed as GDPR-ready suffered breaches, compared to 80 percent of companies that expect to be compliant within 12 months and 89 percent of those that don’t expect to be compliant in the next 12 months. The average number of records affected in a breach at GDPR-ready companies was 79,000, compared to 100,000 for those looking to be GDPR-ready in the next year and 212,000 for the laggards. As a result, the costs associated with incidents were lower. Only 37 percent of GDPR-ready companies had a loss of over $500,000 last year, versus 46 percent for the soon-to-be compliant and 64 percent of the least GDPR-ready.

“Any organization that has been through a well-planned GDPR programme will have a much better understanding of the data that they hold, the controls in place and the risks that need to be managed,” says Martin Whitworth, research director for European data security and privacy at IDC. “This, inevitably, has a positive effect on the security posture. When remediating actions are undertaken (process improvements, new controls, etc.) this will further improve the organizational security regime.”

GDPR compliance alone won’t reduce risk

It’s still less than a year since GDPR came into effect, and there is little evidence elsewhere to support Cisco’s claim that compliance reduces the risk and impact of data breaches. However, there is a feeling amongst regulators, consultants and vendors that there is a correlation.

“Adherence to the security requirements of the GDPR does not provide any guarantees that security breaches will not occur,” says a spokesperson for the UK ICO. “However, the adoption of appropriate technical and organizational measures should reduce the likelihood of such incidents and, in the event that a breach does occur, put the organisation in a better position to mitigate the risks and, where necessary, report the incident to and co-operate with the ICO.”

Matt Wilson, chief information security advisor at BTB Security, agrees that while organizations adopting the key tenets of GDPR will naturally start improving their information security, compliance alone isn’t enough to reduce risk. “Being compliant with GDPR, or any other regulation for that matter, doesn't make an organization secure, but it can inspire positive change. The risk of breach won't be zero, but they'll move the needle in a meaningful way that should be measurable.”

Joan Antokol, partner at Park Legal LLC, explains that many multinationals have long had strong privacy frameworks and privacy officers in place, so for them GDPR has been more about formalizing their privacy efforts, while smaller companies are taking privacy more seriously in the face of potentially large fines. “I think the GDPR hasn't raised the standards, per se,” she says. “They've added more terminology such as encryption and disaster recovery and things like that, added more information for organizations to know the expectations. The stakes have changed; the stakes if you get it wrong, or if you fail to comply, are now significantly higher under the GDPR.”

CSO reached out to various companies, but none had hard data on whether compliance had helped reduce their risk or the impact of a breach. The incident response providers contacted did see a positive relationship. “Many of the most exploited weaknesses we find in our incident response work are remedied under GDPR requirements,” says Christopher Gerg, vice president of risk management at incident response firm Gillware. “When we have investigated incidents and breaches with organizations with a mature organizational information security program like those mandated by GDPR, we find that the incidents are typically better contained, lower impact, and easier to remediate.”

“As more incidents occur with GDPR-relevant organizations, we expect that we will be able to draw more conclusive correlations, but our real-world experience in incident response says that for organizations that are truly GDPR compliant, incidents will be very unlikely,” Gerg adds.

Quantifying GDPR’s benefits still hard

When asked if there was a way to better quantify the benefits of GDPR for an organization, IDC’s Whitworth advised that the focus should not be on cost benefits but on treating compliance as a risk management and mitigation exercise, measured by:

How much better companies understand the data they hold, the associated risks, and the appropriate controls that they put in place

What efficiencies they have been able to introduce into their business processes

Data storage efficiencies (by removing unnecessary data)

Park Legal’s Antokol adds that many privacy officers are being inundated with reports of potential GDPR breaches from company employees, giving companies much better visibility into their processes and potential issues. That can have both positive and negative aspects.

“GDPR awareness training has caused employees to become much more aware of situations that maybe wouldn't have been reported in the past,” she says, “but individuals are then saying, 'Oh, my God, we’re in violation of the GDPR' and I have to let them know that we make those determinations, not you.”

The open wording of the GDPR, and the fact that it contains very little in the way of specific technology requirements, mean that the benefits of compliance may not be shared equally; they depend on how strongly the principles and spirit of the legislation are adopted. “The interesting part is GDPR does not prescribe exact security requirements, and states companies must provide a ‘reasonable’ level of protection for personal data, which leaves room for subjective interpretation from both sides,” says Shawn Burke, CSO at Sungard Availability Services. “The benefit of GDPR compliance for security organizations is they have a better understanding of where the sensitive data exists and how it’s being processed, and having better visibility and accountability is certainly a formula to reduce the likelihood of suffering a data breach.”